Firewall Wizards mailing list archives
Re: Jboss in a DMZ?
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 6 Oct 2003 14:42:12 -0400 (EDT)
bugtraq'ed today:

================================
Illegalaccess.org Security Alert
================================

Date        : 10/04/2003
Application : JBoss, java server for running J2EE enterprise applications
Version     : 3.2.1
Website     : http://www.jboss.org
Problems    : Denial-Of-Service, Log Manipulation, Manipulation of Process variables, Arbitrary Command Injection

Might take a lot of lockdown work!

Thanks,

Ron DuFresne

On Tue, 30 Sep 2003, Adam Shostack wrote:

I'm looking to deploy jboss in a security sensitive (dmz-like) situation. Jboss wants to listen on a lot of ports, and my attempts to firewall it (using ipfilter) aren't going well.

Has anyone done this? Are you willing to share the firewalling rules you used? Allowing all localhost->localhost didn't work.

Will jboss respect tcp wrappers? Is there a way to specify listen on localhost only in the attributes? Naively throwing localhost:8083 in here (service.xml) didn't work:

    <mbean code="org.jboss.web.WebService" name="jboss:service=Webserver">
      <attribute name="Port">8083</attribute>

Adam

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards